Online card fraud: balancing convenience and security

The opportunities to do business online continue to grow, but card fraud remains a concern. Phil Thomas, Senior Manager, Lloyds Bank Cardnet, explains how business owners can protect themselves without compromising ease of use for their customers – and how Lloyds Bank Cardnet can help.

“The UK is the biggest card payments market in the European Union, with Britain accounting for more than 30% of all EU card spending and 73% of the EU credit card market.[1]

The good news is that overall rates of card fraud are in decline. In 2014, fraud losses in UK cards totalled £479m, down 27% from their peak in 2008. However, the rise of online shopping means CNP (cardholder not present) fraud is still an issue, with £331.1m lost in 2014 alone.[2]

What’s driving online card fraud?

One reason behind CNP fraud is consumers’ desire for convenience. The more security you put into a payment system, the more steps to making a purchase you potentially create for your customer, and the more likely they are to drop out during the transaction. If their experience is unduly clunky, the consumer may decide to go elsewhere and that can make it easy for a merchant to lean towards convenience over security.

Another factor is that a lot of small businesses do not always understand their responsibilities and what they might be responsible for in the event of a fraudulent transaction. But if a merchant does not perform basic checks, such as verifying the address of the customer, for example, they could leave themselves vulnerable.

The impact of fraud can be sizable, including revenue loss, fraud handling costs, fines for breaching acceptable fraud levels and reputational damage. So it is vital for business owners to find the right balance between security and convenience.

What can business owners do to tackle fraud?

There are some basic steps that small business owners should be aware of:

Ensure virus protection software is installed on the website. That will make it much harder for customer details to be attacked or compromised.

From a data security point of view, ensure the business is Payment Card Industry Data Security Standard (PCI DSS) compliant.

If you are thinking about adopting alternative non-card based payment methods, check their policies on chargeback – the process that is followed when a transaction is disputed. Not all payment methods have the same chargeback process; each one has its own nuances, and it is important to be aware of them.

What support can acquiring services provide?

Acquirers can help small business owners in a number of ways. When customers are entering their card details, they will typically perform checks to ensure the card is legitimate and belongs to the person attempting to make the purchase.

Lloyds Bank Cardnet can also assist in helping a business attain PCI DSS compliance, which is mandatory and especially important for businesses selling online to ensure that cardholder details are kept secure.

One way for business owners to combine convenience with security is to embed 3D Secure, an additional security layer, into their company website. This gives the 3D Secure page the same look and feel as the rest of the website, helping to reduce confusion and smooth the customer journey.

Introducing Cyberstreetwise

Lloyds Bank Cardnet is also part of Cyberstreetwise, a government-led initiative to address the issue of remote fraud against small and medium-sized businesses.

There is a whole section of the Cyberstreetwise website for business owners, with specific videos for merchants selling online. The site gives advice on issues such as the need for a secure socket layer – known as an SSL – to create an encrypted channel between the client and the merchant’s website. That is considered the gold standard of online security.”

Tips to combat card fraud

Ensure you have clear refund policies on your website to avoid unnecessary disputes that can be Trojan horses for fraud

Make sure you have a clear description of your products and services and a clear refund policy, for the same reason

Arrange for your business to become PCI DSS compliant. If you’re not sure how, Lloyds Bank Cardnet can help

Set up an additional layer of security, such as 3D Secure, with the same look and feel as the rest of your website
